The launch of the Government's new certification and guidance scheme will enable businesses to demonstrate compliance with cyber security practices.

In light of recent headlines about organisations such as eBay exposing customers' information to cyber threats, businesses are moving cyber security measures to the top of their agendas so that they can demonstrate their security posture and compliance.

The Cyber Essentials Scheme (CES) has been developed by the Department for Business Innovation and Skills (BIS) in response to its 10 Steps to Cyber Security initiative. Industry bodies, including the Information Security Forum and the British Standards Institution, have provided input into how the CES should be implemented.

The CES is intended to fulfil two functions:

  • It provides a clear statement of the basic controls that all organisations should implement to mitigate the risk from common internet-based threats; and
  • It offers a low-cost mechanism for all organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Previously there had been no such recognised cyber security certification for all businesses to adopt. The CES is now open to all organisations, of all sizes and in all sectors. BAE Systems, Barclays and Hewlett-Packard are among the first companies to apply for CES certification.

The CES provides guidance on 5 key controls:

There are two levels of certification available: Cyber Essentials, and Cyber Essentials Plus.

Cyber Essentials:

  • awarded on the basis of a verified self-assessment via a questionnaire approved by a senior executive, e.g. the CEO.
  • the questionnaire is verified by an independent Certification Body to assess whether an appropriate standard has been achieved and whether certification can be awarded.
  • a basic level of assurance, achieved at low cost.

Cyber Essentials Plus:

  • a higher level of assurance through the external testing of the organisation's cyber security approach.
  • more expensive.

The two options give businesses a choice over the level of assurance they wish to obtain, taking cost into account. Costs will be set by the individual Certification Bodies (working in competition with each other), allowing market forces to set rates depending on the size of the organisation and the level of rigour required. On successful completion of the assessment process, a certificate will be awarded together with the appropriate badge.

However, the CES can only be effective as a "snapshot" in time, as at the day of assessment, and therefore businesses will need to keep their technology and security up to date to retain the certification. At a minimum, to retain the certification badge organisations must recertify at least once a year. The Government believes that implementation of the CES can significantly reduce an organisation's vulnerability, but it is not designed to address more advanced, targeted attacks, for which additional security measures may need to be implemented.

Nevertheless, the new certification should increase consumers' confidence that businesses have defences in place against common cyber threats, while giving certified businesses a competitive advantage over others and boosting their reputation. For example, from 1 October 2014, the Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.